A computer system typically includes an operating system. Computer processes running on the computer system may attempt to access at run-time the computer system's file system, system configuration, and/or network stack.
Need to Enforce Run-Time Policies on Computer Processes
A computer system needs the ability to enforce run-time policies on the computer processes executing on it. For example, if a computer process that is configured to prevent intrusions into the computer system is running on the computer system, it may need to enforce restrictive policies for a web-browsing program (which needs to be sandboxed to minimize the damage it can do to the system) and more permissive policies for a program used to update applications on the system. Such a system would therefore want to be able to (i) persistently attach a particular policy to a particular program executable residing on the system and (ii) reliably locate and enforce the attached policy when the program is launched and begins performing activity.
Prior Art Systems
One prior art system applies policies based on the user-id under which the process is executing. This prior art system does not allow for differentiation of policies on a per-process level when all processes are executing under the same user-id. Furthermore, on a computer system running a Microsoft Corporation Windows operating system (hereinafter “Windows”), running application processes under separate user-ids would cause usability issues since the user-profile settings (such as Desktop and “my documents” folders, and the current-user registry-hive) would be completely different for each user-id.
Another prior art system identifies processes based on the executable-name (not the entire file-path). This limitation exists because the documented application program interfaces (APIs) in Windows for receiving process-creation information do not always supply the entire-path of the executable being launched. Undocumented means (such as operating-system-call hooking) are available, but suffer from reliability and portability issues.
In addition, another prior art system (in Windows) provides a hard-coded set of policies that can be enforced on a per-program basis. Unfortunately, this hard-coded set of policies cannot be meaningfully extended by third-party developers who wish to enforce their own policies during program execution. Prior Art FIG. 1 is a block diagram of a typical prior art system.
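The three identification schemes discussed above (per user-id, per executable name, and per full path) can be contrasted in a few lines. The following is an added example, not code from the patent or from any of the prior art systems it describes; the process records, paths, user name and policy table are constructed for illustration, and the `Process`, `Policy` and `attach_policy` names are assumptions of this example. It shows why a user-id key cannot distinguish two programs run by the same user, why a basename key hands an unregistered copy of `updater.exe` in a user-writable directory the permissive policy, and how keying on the normalized full path binds the policy to one specific file on disk while keeping the policy table as extensible data rather than a hard-coded set.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Process:
    """A launched process as a policy engine sees it (constructed data)."""
    pid: int
    user: str
    image_path: str  # path of the executable as reported at process creation


@dataclass(frozen=True)
class Policy:
    name: str
    allow_network: bool
    allow_file_write: bool


SANDBOX = Policy("sandbox", allow_network=True, allow_file_write=False)
PERMISSIVE = Policy("permissive", allow_network=True, allow_file_write=True)
DEFAULT = Policy("default", allow_network=False, allow_file_write=False)

# Strategy 1: keyed by user-id. Every process of that user gets one policy.
USER_POLICY = {"alice": PERMISSIVE}

# Strategy 2: keyed by executable basename, which is all a name-only
# process-creation notification can give you.
NAME_POLICY = {"browser.exe": SANDBOX, "updater.exe": PERMISSIVE}


def normalize(path: str) -> str:
    """Canonical form of a Windows path: backslash separators, case-folded."""
    return str(PureWindowsPath(path)).casefold()


# Strategy 3: keyed by the normalized full path, so the policy is bound to
# one specific file. Kept as plain data so new entries can be added.
PATH_POLICY = {}


def attach_policy(table: dict, path: str, policy: Policy) -> None:
    """Persistently associate a policy with one executable path (assumed API)."""
    table[normalize(path)] = policy


attach_policy(PATH_POLICY, r"C:\Program Files\Browser\browser.exe", SANDBOX)
attach_policy(PATH_POLICY, r"C:\Program Files\Updater\updater.exe", PERMISSIVE)


def policy_by_user(proc: Process) -> Policy:
    return USER_POLICY.get(proc.user, DEFAULT)


def policy_by_name(proc: Process) -> Policy:
    name = PureWindowsPath(proc.image_path).name.casefold()
    return NAME_POLICY.get(name, DEFAULT)


def policy_by_path(proc: Process) -> Policy:
    return PATH_POLICY.get(normalize(proc.image_path), DEFAULT)


def resolve_all(procs):
    """Map pid -> (by_user, by_name, by_path) policy names for comparison."""
    return {
        p.pid: (policy_by_user(p).name, policy_by_name(p).name, policy_by_path(p).name)
        for p in procs
    }


# Constructed sample: four launches, all under the same user-id.
SAMPLE_PROCESSES = [
    Process(100, "alice", r"C:\Program Files\Browser\browser.exe"),
    Process(101, "alice", r"C:\Program Files\Updater\updater.exe"),
    # Same basename as the trusted updater, but an unregistered copy
    # sitting in a user-writable directory.
    Process(102, "alice", r"C:\Users\alice\Downloads\updater.exe"),
    # The trusted browser, reported with forward slashes and odd casing.
    Process(103, "alice", "c:/program files/browser/BROWSER.EXE"),
]

if __name__ == "__main__":
    for pid, (by_user, by_name, by_path) in resolve_all(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: user={by_user} name={by_name} path={by_path}")
```

Running the block prints one line per process. Process 100 and 101 show the user-id key giving both the browser and the updater the same permissive policy; process 102 shows the basename key granting the stray `updater.exe` the permissive policy that was meant for the installed updater, while the path key falls back to the default; process 103 shows that path normalization (separator and case) is required before a full-path lookup can be relied on.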
Therefore, a method and system of specifying and enforcing at least one run-time policy for at least one computer process executing on a computer system, where the computer system includes a computer operating system, is needed.